=============================================================
                      E P I C   A L E R T
=============================================================
Volume 2.09 August 21, 1995
-------------------------------------------------------------
Published by the
Electronic Privacy Information Center (EPIC)
Washington, DC
info@epic.org
http://www.epic.org
*Special Edition: Crypto*
=======================================================================
Table of Contents
=======================================================================
[1] "New" Crypto Policy Announced: Clipper II?
[2] NIST Announcement on Key-Escrow Workshops
[3] Documents: FBI & NSA Want to Ban Non-Escrowed Encryption
[4] EPIC Crypto Web Pages Online
[5] Upcoming Conferences and Events
=======================================================================
[1] "New" Crypto Policy Announced: Clipper II?
=======================================================================
The Clinton Administration ended a year of silence on August 17 when
it issued a long-awaited statement on the Clipper Chip and key-escrow
encryption. Unfortunately, the "new" policy is merely a re-working of
the old one -- the Administration remains committed to key-escrow
techniques that ensure government agents access to encrypted
communications. The only changes are a willingness to consider the
export of 64-bit encryption (if "properly escrowed"), the possibility
of private sector escrow agents to serve as key-holders, and
consideration of software implementations of key-escrow technologies.
As EPIC Advisory Board member Whit Diffie observed in an op-ed piece
in the New York Times, the new approach won't work. "While other
nations may share our interest in reading encrypted messages for law
enforcement purposes, they are unlikely to embrace a system that
leaves them vulnerable to U.S. spying. They will reject any system
that gives decoding ability to agents in the United States." Diffie
further notes that "64-bit keys are not expected to be adequate."
In a statement re-printed below, the National Institute of Standards
and Technology (NIST) announced two public workshops "to discuss key
escrow issues." More information concerning these meetings can be
obtained from Arlene Carlton at NIST, (301) 975-3240, fax: (301)
948-1784, e-mail: carlton@micf.nist.gov.
=======================================================================
[2] NIST Announcement on Key-Escrow Workshops
=======================================================================
EMBARGOED FOR RELEASE: 3 p.m. EDT, Thursday, Aug. 17, 1995
NIST 95-24
Contact: Anne Enright Shepherd, (301) 975-4858

COMMERCE'S NIST ANNOUNCES PROCESS FOR DIALOGUE ON KEY ESCROW ISSUES

Furthering the Administration's commitment to defining a
workable key escrow encryption strategy that would satisfy
government and be acceptable to business and private users of
cryptography, the Commerce Department's National Institute of
Standards and Technology announced today renewed dialogue on key
escrow issues.
A Sept. 6-7 workshop will convene industry and government
officials to discuss key escrow issues, including proposed
liberalization of export control procedures for key escrow
software products with key lengths up to 64 bits, which would
benefit software manufacturers interested in building secure
encryption products that can be used both domestically and
abroad.
Key escrow encryption is part of the Administration's
initiative to promote the use of strong techniques to protect the
privacy of data and voice transmissions by companies, government
agencies and others without compromising the government's ability
to carry out lawful wiretaps.
In a July 1994 letter to former Rep. Maria Cantwell, Vice
President Gore said that the government would work on developing
exportable key escrow encryption systems that would allow escrow
agents outside the government, not rely on classified algorithms,
be implementable in hardware or software, and meet the needs of
industry as well as law enforcement and national security. Since
that time, discussions with industry have provided valuable
guidance to the Administration in the development of this policy.
For example, many companies are interested in using a corporate
key escrow system to ensure reliable back-up access to encrypted
information, and the renewed commitment should foster the
development of such services.
Consideration of additional implementations of key escrow
comes in response to concerns expressed by software industry
representatives that the Administration's key escrow policies did
not provide for a software implementation of key escrow and in
light of the needs of federal agencies for commercial encryption
products in hardware and software to protect unclassified
information on computer and data networks.
Officials also announced a second workshop at which industry
is invited to help develop additional Federal Information
Processing Standards for key escrow encryption, specifically to
include software implementations. This standards activity would
provide federal government agencies with wider choices among
approved key escrow encryption products using either hardware or
software. Federal Information Processing Standards provide
guidance to agencies of the federal government in their
procurement and use of computer systems and equipment.
Industry representatives and others interested in joining
this standards-development effort are invited to a key escrow
standards exploratory workshop on Sept. 15 in Gaithersburg, Md.
This workshop is an outgrowth of last year's meetings in which
government and industry officials discussed possible technical
approaches to software key escrow encryption.
The Escrowed Encryption Standard, a Federal Information
Processing Standard for use by federal agencies and available for
use by others, specifies use of a Key Escrow chip (once referred
to as "Clipper chip") to provide strong encryption protection for
sensitive but unclassified voice, fax and modem communications
over telephone lines. Currently, this hardware-based standard is
the only FIPS-approved key escrow technique. NIST officials
anticipate proposing a revision to the Escrowed Encryption
Standard to allow it to cover electronic data transmitted over
computer networks. Under this revised federal standard, the
Capstone chip and other hardware-based key escrow techniques
developed for use in protecting such electronic data also will be
approved for use by federal agencies.
As a non-regulatory agency of the Commerce Department's
Technology Administration, NIST promotes U.S. economic growth by
working with industry to develop and apply technology,
measurements and standards.
=======================================================================
[3] Documents: FBI & NSA Want to Ban Non-Escrowed Encryption
=======================================================================
On a related note ...
Declassified government documents recently obtained by EPIC show
that key federal agencies concluded more than two years ago that the
"Clipper Chip" key-escrow initiative will only succeed if alternative
security techniques are outlawed. The information is contained in
several hundred pages of material concerning Clipper and cryptography
EPIC obtained from the FBI under the Freedom of Information Act.
The conclusions contained in the documents appear to conflict
with frequent Administration claims that use of key-escrow technology
will remain "voluntary." Critics of the government's initiative,
including EPIC, have long maintained that government-sanctioned key-
escrow encryption techniques would only serve their stated purpose if
made mandatory. According to the FBI documents, that view is shared by
the Bureau, the National Security Agency (NSA) and the Department of
Justice (DOJ).
In a "briefing document" titled "Encryption: The Threat,
Applications and Potential Solutions," and sent to the National
Security Council in February 1993, the FBI, NSA and DOJ concluded that:

     Technical solutions, such as they are, will only work if
     they are incorporated into *all* encryption products. To
     ensure that this occurs, legislation mandating the use of
     Government-approved encryption products or adherence to
     Government encryption criteria is required.

Likewise, an undated FBI report titled "Impact of Emerging
Telecommunications Technologies on Law Enforcement" observes that
"[a]lthough the export of encryption products by the United States is
controlled, domestic use is not regulated." The report concludes that
"a national policy embodied in legislation is needed." Such a policy,
according to the FBI, must ensure "real-time decryption by law
enforcement" and "prohibit[] cryptography that cannot meet the
Government standard."
The FBI conclusions stand in stark contrast to public assurances
that the government does not intend to prohibit the use of non-
escrowed encryption. Testifying before a Senate Judiciary
Subcommittee on May 3, 1994, Assistant Attorney General Jo Ann
Harris asserted that:

     As the Administration has made clear on a number of occasions,
     the key-escrow encryption initiative is a voluntary one; we
     have absolutely no intention of mandating private use of a
     particular kind of cryptography, nor of criminalizing the
     private use of certain kinds of cryptography.

The newly-disclosed information suggests that the architects of
the key-escrow program -- NSA and the FBI -- have always recognized
that key-escrow must eventually be mandated. Coming to light on the
eve of the announcement of a "new" Administration policy, the FBI
documents raise significant questions as to the government's long-term
strategy on the cryptography issue.
Scanned images of several key documents are available via the
World Wide Web at http://www.epic.org/crypto/ban/fbi_dox/
=======================================================================
[4] EPIC Crypto Policy Web Pages Online
=======================================================================
EPIC is now making available an extensive series of pages on
cryptography policy. Each page highlights an area of controversy and
provides links to key documents. Materials include formerly secret
government documents obtained under FOIA by EPIC and CPSR, reports
from the Office of Technology Assessment, the General Accounting
Office and others on cryptography. Topics include:
o Efforts to ban cryptography
o The Clipper Chip
o The Digital Signature Standard
o The Computer Security Act of 1987
The pages are available at http://www.epic.org/crypto/
More pages will become available soon.
=======================================================================
[5] Upcoming Privacy Related Conferences and Events
=======================================================================
Advanced Surveillance Technologies. Sept. 4, 1995. Copenhagen,
Denmark. Sponsored by Privacy International and EPIC. Contact
pi@privacy.org. http://www.privacy.org/pi/conference/

17th International Conference of Data Protection and Privacy
Commissioners. Copenhagen, Denmark. September 6-8, 1995. Sponsored by
the Danish Data Protection Agency. Contact Henrik Waaben, +45 33 14 38
44 (tel), +45 33 13 38 43 (fax).

InfoWarCon '95. September 7-8, 1995. Arlington, VA. Sponsored by NCSA
and OSS. Email: 74777.3033@compuserve.com.

Business and Legal Aspects of Internet and Online Services. Sept.
14-15. New York City. Sponsored by National Law Journal and New York
Law Journal. Contact: (800)888-8300, ext. 6111, or (212)545-6111.

The Good, the Bad, and the Internet: A Conference on Critical Issues
in Information Technology. October 7-8. Chicago, Ill. Sponsored by
CPSR. Contact cpsr@cpsr.org or
http://www.cs.uchicago.edu/discussions/cpsr/annual

18th National Information Systems Security Conference. Oct. 10-13.
Baltimore, MD. Sponsored by NSA and NIST. Contact: 301-975-3883.

Managing the Privacy Revolution. Oct. 31 - Nov. 1, 1995. Washington,
DC. Sponsored by Privacy & American Business. Speakers include Mike
Nelson (White House), C.B. Rogers (Equifax) and Marc Rotenberg (EPIC).
Contact Alan Westin 201/996-1154.

22nd Annual Computer Security Conference and Exhibition. Nov. 6-8,
Washington, DC. Sponsored by the Computer Security Institute.
Contact: 415-905-2626.

Global Security and Global Competitiveness: Open Source Solutions.
Nov. 7-9. Washington, D.C. Sponsored by OSS. Contact: Robert Steele
oss@oss.net.

11th Annual Computer Security Applications Conference: Technical
papers, panels, vendor presentations, and tutorials that address the
application of computer security and safety technologies in the civil,
defense, and commercial environments. Dec. 11-15, 1995, New Orleans,
Louisiana. Contact Vince Reed at (205)890-3323 or vreed@mitre.org.

Computers Freedom and Privacy '96. March 27-30. Cambridge, Mass.
Sponsored by MIT, ACM and WWW Consortium. Contact cfp96@mit.edu or
http://www-swiss.ai.mit.edu/~switz/cfp96

Australasian Conference on Information Security and Privacy. June
24-26, 1996. New South Wales, Australia. Sponsored by Australasian
Society for Electronic Security and University of Wollongong. Contact:
Jennifer Seberry (jennie@cs.uow.edu.au).

(Send calendar submissions to Alert@epic.org)
=======================================================================
The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. To subscribe, send the message:
     SUBSCRIBE CPSR-ANNOUNCE Firstname Lastname
to listserv@cpsr.org. You may also receive the Alert by reading the
USENET newsgroup comp.org.cpsr.announce.
Back issues are available via http://www.epic.org/alert/ or
FTP/WAIS/Gopher/HTTP from cpsr.org /cpsr/alert/ and on Compuserve (Go
NCSA), Library 2 (EPIC/Ethics).
=======================================================================
The Electronic Privacy Information Center is a public interest
research center in Washington, DC. It was established in 1994 to
focus public attention on emerging privacy issues relating to the
National Information Infrastructure, such as the Clipper Chip, the
Digital Telephony proposal, medical record privacy, and the sale of
consumer data. EPIC is sponsored by the Fund for Constitutional
Government and Computer Professionals for Social Responsibility. EPIC
publishes the EPIC Alert and EPIC Reports, pursues Freedom of
Information Act litigation, and conducts policy research on emerging
privacy issues. For more information, email info@epic.org, WWW at
HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite
301, Washington, DC 20003. (202) 544-9240 (tel), (202) 547-5482 (fax).
The Fund for Constitutional Government is a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights. Computer Professionals for Social Responsibility is a
national membership organization of people concerned about the impact
of technology on society. For information contact: cpsr-info@cpsr.org
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible. Checks should be made out to "The Fund for
Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave.,
SE, Suite 301, Washington DC 20003.
Your contributions will help support Freedom of Information Act
litigation, strong and effective advocacy for the right of privacy and
efforts to oppose government regulation of encryption and funding of
the National Wiretap Plan.
Thank you for your support.
------------------------ END EPIC Alert 2.09 ------------------------